limit the PCE's full s3 access to the deployed data bucket (#1743)

Summary:
Pull Request resolved: #1743

For partner side deployments. For other usages it will still default to the
current AmazonS3FullAccess arn for now.

Reviewed By: ankushksingh, ajaybhargavb, anthonyzhang25

Differential Revision: D40406015

fbshipit-source-id: c9f91369fc9cd2e00b53667e4eb3927c756ade18

Author: marksliva

fbpcs/infra/cloud_bridge/deploy.sh

@@ -86,6 +86,7 @@ undeploy_aws_resources() {
         -var "aws_region=$region" \
         -var "tag_postfix=$tag_postfix" \
         -var "aws_account_id=$aws_account_id" \
+        -var "s3_access_arn=$data_bucket_policy_arn" \
         -var "pce_id=$pce_id"
     echo "Finished undeploying AWS resources under PCE_shared."
     echo "Start undeploying AWS resource under PCE..."
@@ -181,10 +182,16 @@ undeploy_aws_resources() {
     fi
     echo "######################## Undeploy resources policy ########################"
     log_streaming_data "Undeploying resources policies..."
+    echo "Deleting policy: $policy_name"
     cd /terraform_deployment
     python3 cli.py destroy aws \
         --delete_iam_policy \
         --policy_name "$policy_name"
+
+    echo "Deleting data bucket policy: $data_bucket_policy_name"
+    python3 cli.py destroy aws \
+        --delete_iam_policy \
+        --policy_name "$data_bucket_policy_name"
     echo "######################## Finished undeploy resources policy ########################"
 
     log_streaming_data "finished undeploying all AWS resources "
@@ -211,6 +218,18 @@ deploy_aws_resources() {
     # Create the S3 data bucket if it doesn't exist
     log_streaming_data "creating s3 data bucket, if it does not exist"
     validate_or_create_s3_bucket "$s3_bucket_data_pipeline" "$region" "$aws_account_id"
+
+    # Create data bucket policy
+    echo "########################Create data bucket policy########################"
+    cd /terraform_deployment
+    python3 cli.py create aws \
+        --add_iam_policy \
+        --policy_name "$data_bucket_policy_name" \
+        --template_path "$fb_pc_data_bucket_policy" \
+        --region "$region" \
+        --data_bucket_name "$s3_bucket_data_pipeline"
+    echo "########################Done creating data bucket policy########################"
+
     # Deploy PCE Terraform scripts
     onedocker_ecs_container_image='539290649537.dkr.ecr.us-west-2.amazonaws.com/one-docker-prod:latest'
     publisher_vpc_cidr='10.0.0.0/16'
@@ -229,6 +248,7 @@ deploy_aws_resources() {
         -var "tag_postfix=$tag_postfix" \
         -var "aws_account_id=$aws_account_id" \
         -var "onedocker_ecs_container_image=$onedocker_ecs_container_image" \
+        -var "s3_access_arn=$data_bucket_policy_arn" \
         -var "pce_id=$pce_id"
     echo "######################## Deploy PCE SHARED Terraform scripts completed ########################"
     # Store the outputs into variables
@@ -427,6 +447,9 @@ data_upload_key_path="semi-automated-data-ingestion"
 query_results_key_path="query-results"
 data_ingestion_lambda_name="cb-data-ingestion-stream-processor${tag_postfix}"
 fb_pc_iam_policy="/terraform_deployment/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_iam_policy.json"
+fb_pc_data_bucket_policy="/terraform_deployment/fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json"
+data_bucket_policy_name="fb-pc-data-bucket-policy${tag_postfix}"
+data_bucket_policy_arn="arn:aws:iam::${aws_account_id}:policy/${data_bucket_policy_name}"
 
 if "$undeploy"
 then

fbpcs/infra/cloud_bridge/deployment_helper/aws/iam_policies/fb_pc_data_bucket_policy.json

@@ -0,0 +1,43 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${DATA_BUCKET_NAME}",
+                "arn:aws:s3:::${DATA_BUCKET_NAME}/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:Describe*",
+                "s3:Get*",
+                "s3:List*"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Effect": "Deny",
+            "Action": [
+                "s3:*"
+            ],
+            "NotResource": [
+                "arn:aws:s3:::${DATA_BUCKET_NAME}",
+                "arn:aws:s3:::${DATA_BUCKET_NAME}/*"
+            ],
+            "Condition": {
+                "StringEquals": {
+                    "s3:ResourceAccount": [
+                        "${ACCOUNT_ID}"
+                    ]
+                }
+            }
+        }
+    ]
+}

fbpcs/infra/pce/aws_terraform_template/common/pce_shared/iam.tf

@@ -51,5 +51,5 @@ resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attach
 
 resource "aws_iam_role_policy_attachment" "task_s3" {
   role       = aws_iam_role.onedocker_ecs_task_role.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+  policy_arn = var.s3_access_arn
 }

fbpcs/infra/pce/aws_terraform_template/common/pce_shared/variable.tf

@@ -22,3 +22,9 @@ variable "pce_id" {
   type        = string
   description = "The identifier for marking the cloud resources are in PCE"
 }
+
+variable "s3_access_arn" {
+  type        = string
+  description = "The s3 arn that the PCE can access"
+  default     = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}